Life has become less secure in the last few years. Not only do we have to deal with what seems to be a much higher risk of terrorist outrages but the cyber world has also become less safe. Take, for example, the recent major systems and computer failures affecting banks, British Airways and the National Health Service.
There is also the problem of internet-based fraud, with many thousands of ordinary people falling victim to scams.
One common scam involves bank customers being duped into making transfers to the fraudster’s account. In the typical case, the fraudster disappears with the money immediately.
Once the customer realises what has happened, the money has gone and the bank refuses to accept responsibility because it says it was simply obeying the customer’s instruction to pay.
On closer examination, however, there are good legal reasons for saying the banks should be held responsible. In any event, they should improve the way in which they process instructions to make payments via their online banking systems. This would drastically reduce the number of successful frauds.
A case study
Here is an example of such a scam. A customer needs to make a large payment to his builder. The genuine builder sends the customer an invoice by email for, say, £25,000. He also sends the customer the details of his bank account. Before he is able to pay, a fraudster sends the customer an email, apparently from the builder, saying he has had to change his banking details for a number of reasons, and gives the customer the details of a different account.
As is often the case, in this example, the bank has both accounts – the customer’s and the fraudster’s.
The usual bank’s online form requires the customer to provide the following information about the payee:
- The name of the payee
- The name of the payee’s bank
- Its sort code
- The account number.
In good faith, the customer completes an instruction to pay the money to the genuine builder by name but giving the fraudster’s account number and sort code.
When the bank receives the customer’s instruction to pay, it transfers the £25,000 to the fraudster’s account. The latter then withdraws the money and disappears.
On discovering what has happened, the customer claims the money from the bank. But the bank says it paid the correct account identified only by its number and sort code. It did not check the name of the account holder. Banking practice in the UK and EU does not require it to do so. Thus the bank denies liability for the loss.
Almost certainly, the customer was unaware of the limited checking process undertaken by the bank. Of all the information he supplied to the bank, the one piece he regarded as important was the name of the genuine builder. Why was it not checked?
The bank has to act in accordance with the Payment Services Regulations. These require the bank to comply with its customer’s instructions to pay to the account which has been unambiguously identified in the payment instruction.
The banking system has been designed so the combination of sort code and account number relates to only one account. Hence the practice of only checking the account number and sort code.
In this case, however, the name of the account or the name of the account holder would have been different from the genuine account and its holder. There is thus an inconsistency in the information provided by the customer and, if the bank had checked the name, it would have discovered that. In that situation, as a minimum, the bank should have referred back to the customer. If it had done so, the fraud would have been revealed and foiled.
It seems a small thing for the bank to do – to check the consistency of all the information it has asked for and which has been supplied to it by its customer.
The Payment Systems Regulator, which has the duty of enforcing the regulations, should act to make all banks carry out proper checks to ensure consistency in all the information at the bank’s disposal. Relying just on the account number and sort code is not good enough, particularly because this kind of fraud is now so common.
The bank is also under a positive common law duty to protect its customer from fraud. In this case, the bank had information which should have put it on enquiry as to whether the correct account to be credited was the genuine builder’s or the fraudster’s. The bank should have checked. If it had done so, the fraud would have been prevented. The bank was therefore liable.
Peter Hamilton is a barrister specialising in financial services at 4 Pump Court and co-founder of moneymatterslegal.co.uk